Android apps are full of potential leaks, finds study

Oct 22, 2012 by Nancy Owano
Credit: Sascha Fahl, et al.

(Phys.org)—Many Android apps are capable of falling victim to Man in the Middle (MITM) attacks. How many? Far too many. Thousands of apps in the Google Play mobile market present vulnerabilities because of the way that protocols are implemented—namely, the Secure Sockets Layer (SSL) and Transport Layer Security (TLS). That Android apps are open to malware by now is a yawn-evoking statement if there ever was one, but a new paper provides findings that are making this week's headlines. Computer science researchers from Philipps University of Marburg and Leibniz University of Hannover in Germany showed that Android apps that are used by over 180 million people can expose banking, social networking and email information.

They identified 41 apps available on the Google Play market that leak sensitive information while it is in transit between smartphones and servers.

The researchers used a smartphone running Android 4.0 (Ice Cream Sandwich) in their investigations. They installed potentially vulnerable apps on the phone and set up a WiFi access point with a Man in the Middle (MITM) SSL proxy. They equipped the SSL proxy with either a self-signed certificate or one that was signed by a trusted CA but issued for an unrelated host name. Of the 100 apps selected for manual audit, 41 proved to have exploitable vulnerabilities.

They captured credentials for numerous major services. "Furthermore, Facebook, email and cloud storage credentials and messages were leaked, access to IP cameras was gained and control channels for apps and remote servers could be subverted."

Their paper, testily titled "Why Eve and Mallory Love Android: An Analysis of Android SSL (In)Security," identifies apps whose SSL code either accepts all certificates or accepts all hostnames for a certificate, and which are therefore potentially vulnerable to MITM attacks.
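As an added illustration (not code from the paper or from this article), the two faulty SSL patterns the researchers describe, written out in Java for HttpsURLConnection beside the default configuration that rejects both proxy certificates used in their test setup; the class and method names are assumptions of this example:

```java
import java.io.IOException;
import java.net.URL;
import java.security.SecureRandom;
import java.security.cert.X509Certificate;
import javax.net.ssl.HostnameVerifier;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLSession;
import javax.net.ssl.TrustManager;
import javax.net.ssl.X509TrustManager;

// Hypothetical class name for this example.
public class SslPatterns {

    // Pattern 1 from the paper: a TrustManager that accepts every certificate.
    // checkServerTrusted never throws, so a self-signed proxy certificate passes.
    static final X509TrustManager TRUST_ALL = new X509TrustManager() {
        public void checkClientTrusted(X509Certificate[] chain, String authType) {}
        public void checkServerTrusted(X509Certificate[] chain, String authType) {}
        public X509Certificate[] getAcceptedIssuers() { return new X509Certificate[0]; }
    };

    // Pattern 2 from the paper: a HostnameVerifier that accepts any hostname, so a
    // certificate validly signed by a trusted CA for an unrelated host also passes.
    static final HostnameVerifier ALLOW_ALL_HOSTS = new HostnameVerifier() {
        public boolean verify(String hostname, SSLSession session) { return true; }
    };

    // Insecure: installs both patterns process-wide for HttpsURLConnection.
    // Code like this is what an audit should flag.
    static void installInsecureDefaults() throws Exception {
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, new TrustManager[] { TRUST_ALL }, new SecureRandom());
        HttpsURLConnection.setDefaultSSLSocketFactory(ctx.getSocketFactory());
        HttpsURLConnection.setDefaultHostnameVerifier(ALLOW_ALL_HOSTS);
    }

    // Secure: leave the platform defaults in place. The default socket factory
    // validates the chain against the system trust store and the default
    // HostnameVerifier matches the certificate against the requested host, so a
    // proxy presenting either bogus certificate is rejected during the handshake.
    static int fetchSecurely(String url) throws IOException {
        HttpsURLConnection conn = (HttpsURLConnection) new URL(url).openConnection();
        try {
            return conn.getResponseCode();
        } finally {
            conn.disconnect();
        }
    }
}
```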

What also troubled the authors was the inability of many people in their survey to even recognize security threats attached to applications. "The results of our online survey with 754 participants showed that there is some confusion among Android users as to which security indicators are indicative of a secure connection, and about half of the participants could not judge the security state of a browser session correctly," they said.

Regarding secure connections, the researchers found that 47.5% of non-IT experts believed they were using a secure connection while the survey was in fact served over plain HTTP. In addition, 34.7% of participants with prior IT education thought that they were using a secure channel when they were not. Only 58.9% of experts and 44.3% of non-experts correctly identified whether they were using a secure or an insecure connection when prompted.

In summing up, the authors pointed to a need for more education and easier tools that can enable the secure development of Android apps. They also called attention to the need for research to identify which countermeasures can ensure the right mix of usability, security benefits and economic incentives for large-scale deployment.

Android by the numbers merits that kind of care. Android is the most used smartphone operating system in the world. Building on the contributions of the open-source Linux community and more than 300 hardware, software, and carrier partners, Android has become the fastest-growing mobile operating system. The numbers keep shifting, but Android's market share currently stays over 50 percent. Android users download more than 1.5 billion apps and games from Play each month, and the number is growing.

More information: Research paper: www2.dcsec.uni-hannover.de/files/android/p50-fahl.pdf

Via Arstechnica

User comments : 3

Temple
2.3 / 5 (3) Oct 22, 2012
But they're OPEN!
Grallen
3 / 5 (2) Oct 23, 2012
This basically amounts to "you have the ability to install software on your phone made by bad programmers".......
DarkHorse66
1 / 5 (1) Oct 23, 2012
As I have said before, in an earlier thread: "If it is programmable, it is hackable", especially if you can download or upload to it. Bad or thoughtless programming just makes that easier...and more tempting.
Cheers, DH66
